Friday, 25 April 2014

Junos software release 12.1R10

Product Affected:

All Juniper Networks platforms running Junos Operating System software
Alert Description:
This bulletin is to notify Juniper Networks customers that Junos software release 12.1R10 has been released. The software and documentation are available for download from the Juniper Networks software download page.

Friday, 18 April 2014

Hardware End of Life Reminder - Low memory (512M and 1G) SRX100 and SRX200

Product Affected:

SRX100, SRX110, SRX210, SRX220, SRX240
 
Alert Description:

The low memory SRX100 and SRX200 models will reach an End of Service (EOS) milestone on May 10, 2014, the end of sale date (also referred to as the last order date). On the last order date, the products are removed from the price list and are no longer available for purchase.
 
Solution:

Please reference the Technical Bulletin TSB16275 for additional details regarding the entire EOS timeline for these products. Login to the CSC is required. Please visit the Juniper Networks Support End of Life page for specific product milestones and dates.

Monday, 14 April 2014

Best Practices for hardening ScreenOS

Summary:

Describes how to harden ScreenOS management.
Solution:
To secure ScreenOS against attacks, implement the following recommendations:

  1. Change the default username and password.
Command: set admin name <name>
Example: set admin name a$df@d

Command: set admin password <plain-text password>
Example: set admin password abcdefgh123

  2. Enable manager-ip. This setting is device wide and limits the IP addresses that are allowed to manage the device. All other management requests are silently dropped.
Command: set admin manager-ip <ip> <mask>
Example: set admin manager-ip 10.1.1.30 255.255.255.255

  3. Enable manage-ip. This setting is per interface and allows management requests to an IP address that is different from the physical interface IP.
Command: set interface <interface> manage-ip <ip>
Example: set interface ethernet0/0 manage-ip 10.1.1.5

  4. Disable management on the physical interface IP. This setting is per interface and allows management requests to be accepted only when they are sent to the manage-ip (see above).
Command: unset interface <interface> manageable
Example: unset interface ethernet0/0 manageable

  5. Disable unused services. This setting is per interface and permits only the defined services to respond on the interface.
Services: ident-reset, mtrace, ping, snmp, ssh, ssl, telnet, web.
Recommendation: permit secure protocols only (ssl, ssh), and only on management/trusted interfaces.
Command:
unset interface <interface> manage
set interface <interface> manage <service>
Example:
unset interface ethernet0/0 manage
set interface ethernet0/0 manage ssh
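To check whether a saved ScreenOS configuration already follows the recommendations above, here is an added Python audit script (not from the bulletin or from Juniper) that parses a constructed `get config` excerpt and reports the settings still to change. It assumes the factory admin name is `netscreen`, that interface names may appear quoted, and that an interface stays manageable on its physical IP unless `manageable` is explicitly unset.

```python
import re

# Constructed sample of a ScreenOS "get config" excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin manager-ip 10.1.1.30 255.255.255.255
set interface "ethernet0/0" manage-ip 10.1.1.5
set interface "ethernet0/0" manage ssh
set interface "ethernet0/0" manage ssl
unset interface "ethernet0/0" manageable
set interface "ethernet0/1" manage ping
set interface "ethernet0/1" manage telnet
set interface "ethernet0/1" manage web
"""
INSECURE_SERVICES = {"telnet", "web", "snmp", "ident-reset", "mtrace"}  # not in the ssl/ssh recommendation
DEFAULT_ADMIN = "netscreen"  # assumption: the well-known ScreenOS factory admin name
ADMIN_RE = re.compile(r'^set admin name "?([^"\s]+)"?$')
IFACE_RE = re.compile(r'^(set|unset) interface "?([^"\s]+)"? (manage|manageable)(?: (\S+))?$')

def audit_screenos(config):
    """Return findings for settings the hardening bulletin says to change."""
    findings, manage, manageable, has_manager_ip = [], {}, {}, False
    for line in config.splitlines():
        line = line.strip()
        m = ADMIN_RE.match(line)
        if m and m.group(1) == DEFAULT_ADMIN:
            findings.append("admin name is still the factory default")
        if line.startswith("set admin manager-ip "):
            has_manager_ip = True
        m = IFACE_RE.match(line)
        if not m:
            continue
        action, ifname, keyword, service = m.groups()
        if keyword == "manageable":
            manageable[ifname] = (action == "set")  # "unset ... manageable" stops management on the physical IP
        elif service is None:
            if action == "unset":
                manage[ifname] = set()  # bare "unset ... manage" clears every service
        else:
            svc = manage.setdefault(ifname, set())
            svc.add(service) if action == "set" else svc.discard(service)
    if not has_manager_ip:
        findings.append("no manager-ip set: any source address may attempt management")
    for ifname, services in sorted(manage.items()):
        bad = sorted(services & INSECURE_SERVICES)
        if bad:
            findings.append(f"{ifname}: insecure management services enabled: {', '.join(bad)}")
        if services and manageable.get(ifname, True):  # assumed manageable unless explicitly unset
            findings.append(f"{ifname}: physical interface IP still accepts management")
    return findings
```

On the sample, ethernet0/0 passes every check while the default admin name and the telnet/web/manageable settings on ethernet0/1 are reported.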

Out of Cycle Security Bulletin: ScreenOS: Malformed SSL packet can cause denial of service (DoS) (CVE-2014-2842)

Product Affected:

This issue can affect ScreenOS 6.3.
Problem:
A denial of service (DoS) issue has been discovered in ScreenOS firewalls that can be exploited by remote unauthenticated attackers. When a malformed SSL/TLS protocol packet is sent to a vulnerable ScreenOS firewall, the firewall crashes and restarts or, in an HA configuration, triggers a failover. The issue can be repeatedly exploited to create an extended denial of service condition.

Older versions of ScreenOS have reached the end of support milestone and have not been evaluated for the issue, but are likely affected. Customers are advised to upgrade to a fixed supported release once it is made available.

While Juniper has not seen any malicious exploitation of this vulnerability, the packet has been found in normal network activity.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2842.
Solution:
There is no software available at this time to resolve this issue. Software updates will be available in the near future. Until then, the workaround should be used.

This advisory will be updated once software is made available on the support site.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Workaround:
Due to the likelihood of the specific packet occurring during normal activity, Juniper recommends disabling HTTPS administration until a software fix is available. This includes disabling HTTPS administration even on internal and protected networks.

This issue is completely mitigated when HTTPS management is disabled.

Wednesday, 9 April 2014

JUNOS : Configure Express Antivirus

Configuration Task Overview

Configuring express antivirus scanning consists of the following tasks:
  • Configuring express antivirus parameters
  • Configuring a UTM policy for a protocol and attaching the policy to a profile
  • Attaching the UTM policy to a firewall security policy
These tasks are performed in the CLI Configuration below.

CLI Configuration

To activate the express antivirus feature using the default antivirus profile:
  1. Define which scan engine you are going to use (in this case, the Juniper Express scan engine).
user@host# set security utm feature-profile anti-virus type juniper-express-engine
  2. Define the UTM policy for the HTTP protocol to be scanned with the default "JUNOS-eav-defaults" antivirus profile.
user@host# set security utm utm-policy custom-utm-policy anti-virus http-profile JUNOS-eav-defaults
  3. Apply the UTM policy to a security policy (in this example, the security policy called web-access).
user@host# set security policies from-zone trust to-zone untrust policy web-access then permit application-services utm-policy custom-utm-policy

Thursday, 3 April 2014

JUNOS: Configure Antivirus Full File-Based Scanning (Kaspersky)

CLI

To verify license installation using the CLI:

  1. Run the show system license command, and look for av_key_kaspersky_engine.
user@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               0            1           0    2010-12-31 00:00:00 UTC
  2. If no license is installed, install the license by entering the following command:
user@host> request system license add terminal
  3. Copy the text from the license file, and paste it at the command prompt.
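Looking for the feature name is only half the check: the row also carries an installed count and an expiry timestamp, and an expired key leaves the scan engine unlicensed. Here is an added Python helper (not Juniper's code) that parses a constructed copy of the show system license output above and reports whether the Kaspersky engine license is present, missing, or expired; it assumes the column layout shown in the bulletin and takes the reference date as a YYYY-MM-DD string so the result is reproducible.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "show system license" excerpt above (not real device output).
SAMPLE_LICENSE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               0            1           0    2010-12-31 00:00:00 UTC
"""

# One license row: feature, used, installed, needed, then an optional expiry timestamp.
ROW_RE = re.compile(
    r"^\s*(?P<feature>\S+)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+(?P<needed>\d+)"
    r"(?:\s+(?P<expiry>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC)?\s*$"
)

def check_av_license(output, feature="av_key_kaspersky_engine", now=None):
    """Return 'ok', 'missing' or 'expired' for the named licensed feature.

    now: reference date as 'YYYY-MM-DD' (UTC); defaults to the current UTC date.
    """
    ref = datetime.strptime(now, "%Y-%m-%d") if now else datetime.utcnow()
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("feature") != feature:
            continue  # header lines never match the row pattern; other features are skipped
        if int(m.group("installed")) == 0:
            return "missing"
        if m.group("expiry"):
            expiry = datetime.strptime(m.group("expiry"), "%Y-%m-%d %H:%M:%S")
            if expiry <= ref:
                return "expired"
        return "ok"
    return "missing"  # feature not listed at all
```

Run against the sample on the bulletin's own date, the key is reported as expired even though one license is installed.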

Setting Up Automatic Updates

By default, the antivirus pattern database is configured to automatically update once every 60 minutes. You can also specify the email notification sent to the administrator when the pattern update is complete.
  1. Configure the pattern updates at a different interval for the Kaspersky scan engine.
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV/SRX240
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 120
Note: "SRX240" in the URL is the platform name. This part of the URL is different and platform specific for each platform. (Other than the platform name, you should not change this URL unless you are experiencing problems with it and have called for support.)
Alternately, you can trigger the pattern update manually by entering the following operational command:
user@host> request security utm anti-virus kaspersky-lab-engine pattern-update
  2. Define the pattern-update email.
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify admin-email "admin@juniper.net"
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message "Pattern UPDATE Done"
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message-subject "AV UPDATE COMPLETE"